"net groupfilter" ?
Gerald (Jerry) Carter
jerry at samba.org
Tue Dec 16 15:39:48 GMT 2008
> On Tue, Dec 16, 2008 at 09:27:35AM -0600, Gerald (Jerry) Carter wrote:
>> This is exactly how idmap_ad[ex] works now though. I don't see how
>> what you are proposing is a larger change. Seems like the filtering
>> just needs to be placed in the idmap plugin and you are done.
> I wasn't sure this works fully correctly also for calls like
> wbinfo -g, getent group <groupname> for nested groups and so
> on. Sorry if I'm wrong there.
Since wbinfo -g doesn't go through NSS, there is no possibility
to filter at the SID/gid mapping layer. For enumeration via
NSS (set/get/endgrent), this works fine. Winbind enumerates all
groups/SIDs and then drops the ones that don't map. I can't
remember if this is done for group members (i.e. users) in the
getgrnam() response. If not, that is easy to fix.
It also allows the NT token to be a superset of the Unix token
if not all SIDs map to a uid/gid.
>>> The patch as posted here is the quick and dirty fix for smbd
>> I'm confused. Not running Winbind implies that the Windows
>> users and groups match a local unix user and therefore you
>> shouldn't really have the > NGROUPS issue. And if you run Winbind,
>> just add the filter to the idmap backend and case closed.
>> So the smbd-only patch is really the wrong place to solve it IMO.
>> Am I explaining myself ok?
> Yes, thanks. I'll keep this locally until I've come up with
> a proper, acceptable patch.
> Thanks for the review,
Np. Good luck.
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian